#!

###########################
# System Settings Global
###########################
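config system global
#
# Device-wide settings. Which interfaces actually expose the admin GUI,
# SSH or telnet is decided by each interface's "allowaccess" (not in this
# file); the ports, timeouts and protocol versions below apply wherever
# such access is allowed.
#
set admin-concurrent enable 
# 0 presumably means the serial console falls back to "admintimeout" — confirm against the FortiOS reference.
set admin-console-timeout 0
set admin-https-pki-required disable 
# No HTTP -> HTTPS redirect: an interface that allows "http" serves the GUI
# in cleartext on "admin-port" (80 below).
set admin-https-redirect disable 
# TLS 1.1 is still negotiable for the admin GUI; see the note below.
set admin-https-ssl-versions tlsv1-1 tlsv1-2 
#
# To increase security, SSLv3.0, TLS 1.0 and TLS 1.1 can be
# disabled for admin access. By default TLS 1.1 and 1.2 are
# activated.
#
#set admin-https-ssl-versions tlsv1-2
#
# To increase security the following ciphers can be deactivated:
#
# aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
#
#set strong-crypto enable
#
# Brute-force protection: 3 failed logins lock the account for 60 seconds.
set admin-lockout-duration 60
set admin-lockout-threshold 3
# Upper bound on simultaneous admin sessions.
set admin-login-max 100
# Keeps the console password-recovery ("maintainer") account available;
# it is usable by anyone with physical console access and a reboot.
set admin-maintainer enable 
# Cleartext GUI port (see "admin-https-redirect" above).
set admin-port 80
set admin-reset-button disable 
# Config transfer via SCP is off.
set admin-scp disable 
# HTTPS GUI on a non-default port; this is obscurity, not a control.
set admin-sport 8443
# Seconds an SSH client gets to complete authentication.
set admin-ssh-grace-time 120
set admin-ssh-port 22
# SSH protocol version 1 stays off.
set admin-ssh-v1 disable 
# Only relevant if an interface allows "telnet" (cleartext management).
set admin-telnet-port 23
# Idle timeout for admin sessions, in minutes.
set admintimeout 15
set allow-traffic-redirect enable 
# Strict anti-replay checking on TCP sequence numbers.
set anti-replay strict 
set arp-max-entry 131072
# Built-in factory certificate for the authentication portal; client
# browsers do not trust it by default, so users cannot tell it from an
# impostor — replace per deployment (same for "user-server-cert" below).
set auth-cert Fortinet_Factory 
# Listening ports of the firewall authentication (captive) portal.
set auth-http-port 1000
set auth-https-port 1003
set auth-keepalive disable 
# Fail-open: traffic passes unscanned when the AV engine is overloaded
# (availability is preferred over inspection here).
set av-failopen pass 
set av-failopen-session disable 
set batch-cmdb enable 
set block-session-timer 30
set br-fdb-max-entry 8192
set cert-chain-max 8
# Configuration changes are saved automatically (no explicit "execute save").
set cfg-save automatic 
set check-protocol-header loose 
set check-reset-range disable 
# Client certificates are not required for admin GUI login.
set clt-cert-req disable 
set csr-ca-attribute  enable 
set daily-restart disable 
set dst enable 
set endpoint-control-fds-access enable
#set endpoint-control-portal-port 8009
set explicit-proxy-auth-timeout 300
set fds-statistics enable 
set fgd-alert-subscription advisory latest-threat 
set forticlient-reg-port 8010
set fortiextender disable 
set fortiextender-data-port 25246
#
# gui-* toggles only control which features are visible in the GUI; they do
# not enable or disable the feature itself.
#
set gui-antivirus enable 
set gui-ap-profile enable  
set gui-application-control enable  
#
# Central NAT table is disabled because this feature is no longer
# supported under FortiOS 5.4. When you need source NAT, use a
# "dynamic IP pool" via the policy option instead.
set gui-central-nat-table disable 
#
set gui-certificates enable  
set gui-custom-language enable  
set gui-dhcp-advanced enable  
set gui-dlp enable 
set gui-dns-database enable 
set gui-dynamic-profile-display disable 
set gui-dynamic-routing enable  
set gui-endpoint-control enable 
set gui-explicit-proxy disable 
set gui-fortiap-split-tunneling enable  
set gui-icap disable 
set gui-implicit-policy enable 
set gui-ips enable 
set gui-ipsec-manual-key disable
set gui-ipv6 disable 
set gui-lines-per-page 50
set gui-load-balance disable 
set gui-local-in-policy enable 
set gui-multicast-policy enable 
set gui-multiple-utm-profiles enable 
set gui-object-tags enable 
set gui-policy-based-ipsec disable 
set gui-replacement-message-groups enable 
set gui-spamfilter enable 
set gui-sslvpn-personal-bookmarks enable 
set gui-sslvpn-realms enable 
set gui-threat-weight enable 
set gui-traffic-shaping enable 
set gui-utm-monitors enable 
set gui-voip-profile disable 
set gui-vpn enable 
set gui-vulnerability-scan disable 
set gui-wan-load-balancing disable
set gui-wanopt-cache disable 
set gui-webfilter enable 
set gui-webfilter-advanced enable 
set gui-wireless-controller enable 
set gui-wireless-opensecurity enable 
set honor-df enable 
# Site-specific hostname (also used as the DDNS label in "config system ddns").
set hostname mydomain1-sg0e0 
# Obfuscates the GUI's HTTP server identification in responses.
set http-obfuscate modified 
set internal-switch-mode interface 
# Source-port range used for locally originated traffic.
set ip-src-port-range 1024-25000
set ipsec-hmac-offload enable 
set ipv6-accept-dad 1
set language english 
set ldapconntimeout 500
set lldp-transmission disable 
set log-uuid policy-only 
# Show the last-login timestamp to administrators at login.
set login-timestamp enable 
set management-vdom root 
set max-dlpstat-memory 5
set miglogd-children 0
set ndp-max-entry 0
set optimize-ssl enable 
set phase1-rekey enable 
set policy-auth-concurrent 0
# No pre/post-login banner; enable if policy requires a warning or
# acceptable-use notice before admin access.
set post-login-banner disable 
set pre-login-banner disable 
set radius-port 1812
set refresh  0
set registration-notification enable 
# Seconds to wait for a remote (RADIUS/LDAP/TACACS+) auth server.
set remoteauthtimeout 5
set reset-sessionless-tcp disable 
# Keep a config revision on every admin logout — useful for change tracking
# and after-the-fact review.
set revision-backup-on-logout enable 
set revision-image-auto-backup enable 
set send-pmtu-icmp enable 
set service-expire-notification enable 
set special-file-23-support disable 
# Legacy SSH algorithms (CBC cipher modes, HMAC-MD5) remain negotiable for
# admin SSH; turn them off once no legacy client depends on them.
set ssh-cbc-cipher enable 
set ssh-hmac-md5 enable 
set sslvpn-cipher-hardware-acceleration enable 
#set sslvpn-kxp-hardware-acceleration enable 
set sslvpn-plugin-version-check enable 
set strict-dirty-session-check enable 
# Weak ciphers stay allowed; see the "strong-crypto" note near the top.
set strong-crypto disable 
set sys-perf-log-interval 5
set tcp-option enable
#
# Session tuning parameter "default":
# 
#set tcp-halfclose-timer 120
#set tcp-halfopen-timer 10
#set tcp-timewait-timer 1
#set udp-idle-timer 180
#
# Session tuning parameter "tuned":
# 
# Shorter half-open / half-close timers also limit how long incomplete
# (e.g. SYN-flood) sessions occupy the session table.
set tcp-halfclose-timer 30
set tcp-halfopen-timer 30
set tcp-timewait-timer 0
# udp-idle-timer is set exactly once, here. A second "set udp-idle-timer 180"
# used to appear further down in this block and silently overrode this
# value (the last "set" wins) — keep it out.
set udp-idle-timer 60
#
# Set timezone with the corresponding number:
#
# 26    (GMT+1:00)Amsterdam,Berlin,Bern,Rome,Stockholm,Vienna
#
set timezone 26
set traffic-priority tos 
set traffic-priority-level medium 
# Two-factor token validity; email/SMS are presumably in seconds and FTM in
# hours — confirm the units against the FortiOS reference.
set two-factor-email-expiry 60
set two-factor-ftm-expiry 72
set two-factor-sms-expiry 60
# See the note on "auth-cert" above.
set user-server-cert Fortinet_Factory 
# Virtual domains are not used on this device.
set vdom-admin disable 
set vip-arp-range restricted 
set wifi-ca-certificate PositiveSSL_CA 
set wifi-certificate Fortinet_Wifi 
set wimax-4g-usb disable 
set wireless-controller enable 
#set wireless-controller-port 5246
set fds-statistics-period 60
end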
###########################
# System Settings
###########################
config system settings
#
# VDOM-level (root) settings: operating mode, session handling, routing
# behaviour and VoIP ALG selection.
#
set opmode nat 
# Re-evaluate all existing sessions when a policy changes, not only new ones.
set firewall-session-dirty check-all 
set bfd disable 
set utf8-spam-tagging enable 
set wccp-cache-engine disable 
set vpn-stats-log ipsec pptp l2tp ssl 
set vpn-stats-period 600
set v4-ecmp-mode source-ip-based 
set dhcp-proxy disable 
set gui-default-policy-columns "#" "policyid" "srcintf" "dstintf" "srcaddr" "dstaddr" "schedule" "service" "groups" "action" "profile" "logtraffic" "nat" "count"
set lldp-transmission global 
# Asymmetric routing is not allowed, so stateful inspection sees both
# directions of every session.
set asymroute disable 
# Denied traffic does not create session-table entries.
set ses-denied-traffic disable 
# Strict reverse-path (source) verification is off; presumably the loose
# check still applies — confirm against the FortiOS reference.
set strict-src-check disable 
set asymroute6 disable 
# SIP is handled by the VoIP ALG (proxy-based, see "default-voip-alg-mode"
# below) rather than the kernel session helper.
set sip-helper disable 
set sip-nat-trace disable 
set status enable 
set sip-tcp-port   5060
set sip-udp-port 5060
set sccp-port 2000
set multicast-forward enable 
set multicast-ttl-notchange disable 
# Overlapping subnets on different interfaces are rejected.
set allow-subnet-overlap disable 
set deny-tcp-with-icmp disable 
set ecmp-max-paths 10
set discovered-device-timeout 28
set email-portal-check-dns enable 
set default-voip-alg-mode proxy-based
end
###########################
# System Settings Central-Management
###########################
config system central-management 
#
# FortiManager enrolment. The manager named in "fmg" is trusted to push
# configuration and firmware to this device (see the allow-* options), so
# it sits inside the device's trust boundary.
#
set mode normal 
set type fortimanager
# Placeholder manager address — replace per deployment.
set fmg "3.3.3.3"
#set fmg-source-ip 0.0.0.0
set schedule-config-restore enable 
set schedule-script-restore enable 
# The manager may push configuration and firmware and upgrade remotely.
set allow-push-configuration enable 
set allow-pushd-firmware enable 
set allow-remote-firmware-upgrade enable 
set allow-monitor enable 
# Left unset: pinning the manager's serial number here presumably ties the
# tunnel to one specific FortiManager — consider setting it per deployment.
#set serial-number 
set vdom root 
# "default" leaves the management-tunnel cipher choice to FortiOS; a stricter
# option may be available — confirm against the FortiOS reference.
set enc-algorithm default
# Optional per-service override (commented out, kept as a template).
#config server-list
#edit 1
#set server-type update 
#set server-address 0.0.0.0
#end
end
###########################
# System Settings Admin
###########################
config system admin
#
# Local administrator accounts. Both accounts below use the super_admin
# profile and share the same template password; exported running configs
# normally show passwords as ENC hashes, so the plaintext values here are
# a template artefact — replace them per deployment and before committing.
#
# No trusthost on "admin": it can log in from any source the interface's
# "allowaccess" permits.
edit admin
set accprofile "super_admin"
set vdom "root"
# Template placeholder password (derived from the hostname) — replace.
set password only4mydomain1!
next
# Account used by FortiManager; restricted to the manager address given in
# "config system central-management".
edit "FMG-Admin-mydomain1"
set trusthost1 3.3.3.3 255.255.255.255
set accprofile "super_admin"
set comments "Administrator to be used for FortiManager"
set vdom "root"
# Same template placeholder as "admin" — replace.
set password only4mydomain1!
end
###########################
# System Settings Interface
###########################
#config system interface
#edit internal1
#set netbios-forward enable
#end
###########################
# System Settings DDNS
###########################
config system ddns
#
# Dynamic DNS for the WAN address via FortiGuard DDNS. The hostname label
# is published publicly; the chosen name matches "set hostname" above.
#
edit 1
set monitor-interface "wan1"
set ddns-server FortiGuardDDNS
set ddns-domain "mydomain1-sg0e0.fortidyndns.com"
next
end
###########################
# System Settings DNS
###########################
config system dns
#
# System resolvers. Plain (unencrypted) DNS to public resolvers; the device's
# own lookups (FortiGuard, NTP, logging targets) depend on these answers.
#
set primary 8.8.8.8
set secondary 8.8.4.4
# Local search suffix.
set domain "mydomain1.local"
# Negative (NXDOMAIN) answers are not cached.
set cache-notfound-responses disable
set dns-cache-limit 5000
set dns-cache-ttl 1800
end
###########################
# System Settings NTP
###########################
config system ntp
#
# Time source. Accurate time matters for certificate validation, token
# expiry and log timestamps. The pool server below is unauthenticated
# (no NTP key configured), so time is trusted from the network path.
#
set ntpsync enable
set type custom
# Sync interval, presumably in minutes — confirm.
set syncinterval 360
# Not acting as an NTP server for the LAN (commented out).
#set server-mode enable
#set interface "internal"
config ntpserver
edit 1
set server "ch.pool.ntp.org"
# NTPv4 is used (v3 disabled).
set ntpv3 disable 
next
end
end
###########################
# System Settings FortiGuard
###########################
config system fortiguard
#
# FortiGuard query settings (web filter, AV query, antispam). Caching keeps
# recent verdicts locally for the given TTL (seconds); timeouts are seconds.
#
# Service port used to reach FortiGuard.
set port 8888 
set webfilter-cache enable 
set webfilter-cache-ttl 7200
set webfilter-timeout 15
set avquery-cache enable 
set avquery-cache-ttl 1800
# Percentage of memory reserved for this cache.
set avquery-cache-mpercent 2
set avquery-timeout 7
set antispam-cache enable 
set antispam-cache-ttl 1800
set antispam-cache-mpercent 2
set antispam-timeout 7
end
###########################
# System Settings Console
###########################
config system console
#
# Serial console. "login enable" requires authentication on the console;
# note that "admin-maintainer" in "config system global" still allows
# password recovery from the console after a reboot.
#
set mode line 
set baudrate 9600
set output more 
set login enable 
# Prompt shown by FortiOS when disabling FortiExplorer (USB management):
# WARNING: this option will disable USB management access.
# In the event of an unrecoverable failure, a system reset will be required.
# Do you want to continue? (y/n)y
#set fortiexplorer disable
end
###########################
# System Settings Auto-Install
###########################
#
# Deactivate auto-install-config/image
# from USB disk.
#
config system auto-install 
#
# Hardening: do not load a configuration or firmware image from an
# attached USB disk at boot, so a plugged-in device cannot replace either.
# The file names below are only the defaults looked for when enabled.
#
set auto-install-config disable 
set auto-install-image disable  
set default-config-file fgt_system.conf 
set default-image-file image.out 
end
###########################
# System Settings Autoupdate Schedule
###########################
# 
# Activate autoupdate to get UTM updates
# like antivirus, IPS etc.
#
config system autoupdate schedule
#
# Scheduled FortiGuard updates (AV, IPS and other UTM signatures).
#
set status enable 
set frequency every 
# With "frequency every", "time" is presumably read as an interval
# (every 6 hours) rather than a clock time — confirm.
set time 06:00
# If "frequency" is set to weekly define one "day"
#
#set day Monday
#
end
#
# Deactivate push updates for fortiguard.
#
config system autoupdate push-update 
#
# FortiGuard push updates are off; the device only pulls on the schedule
# above, so no inbound push listener is needed.
#
#set address 0.0.0.0
#set override disable 
#set port 9443
set status disable
end
###########################
# System Network-Visibility
###########################
config system network-visibility 
#
# Destination/source visibility for logs and GUI (hostname and geolocation
# lookups). Hostname entries are cached for "hostname-ttl" seconds, up to
# "hostname-limit" entries.
#
set destination-visibility enable
set source-location enable
set destination-hostname-visibility enable
set hostname-ttl 86400
set hostname-limit 5000
set destination-location enable
end